Re: [gentoo-user] Re: How to grant a CAP_NET_RAW capability to user?

["Canek Peláez Valdés" <caneko@gmail.com>]

On Tue, Dec 10, 2013 at 12:56 PM, Grant Edwards
<grant.b.edwards@gmail.com> wrote:
> On 2013-12-10, Canek Pel??ez Vald??s <caneko@gmail.com> wrote:
>
>>> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
>> From man:capabilities(7): "Capabilities are a per-thread attribute."
>>
>> I don't think you can grant any capability to a user.
>
> I've found some indications that you can.  Various references to
> PAM_CAP imply that I should be able to do what I want.  From
> http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/:
>
>      You can also grant capabilities to users selectively, using
>      pam_cap.so (the Capabilities Pluggable Authentication Module).

I think my proposal could be implemented using PAM, but it would be
the same, I suppose.

> But the example provided only shows how to grant capabilities to a
> user that can then be inherited by files which must also have that
> same capability enabled.  That's not quite what I want to do (and it
> doesn't seem to work).

The restriction to files already having the capability is for security
reasons, obviously: if a user has certain capability, and she forgets
to change the others access to some executable, then anyone has the
capability (if I understand correctly).

> There are two reasons that granting the capability to the executable
> isn't feasible:
>
>   1) Some of the programs are written in Python, and I don't want to
>      grant the capability to all Python programs by setting the
>      capability on /usr/bin/python.

Again, create an executable with CAP_SETPCAP that executes the Python
programs and sets the capabilities for the running program.

>   2) Some of the programs are ELF executables (compiled C programs)
>      that are under developement and are being continuously re-built
>      and re-run.  If I have to do a "sudo setcap" everytime I
>      compile/run a program, then I might as well just do "sudo
>      <program>" the way I do now.

You can create (once) an executable with CAP_SETFCAP, which your build
system calls automatically every time you recompile and that sets the
CAP_NET_RAW capability for the resulting executable. Not very secure
anyway, but I think it could work.

>> A workaround for what you want is to write a little executable that
>> only execvp's bash (or whatever shell you use), grant that executable
>> CAP_NET_RAW, and then set it as default shell with usermod.
>
> I thought about that, but that seems fragile.

> I supposed I could set the capability on /bin/bash with +p instead of
> +ep, then it should only take effect for users who have the capability
> enabled (though I haven't been able to get that to work yet).

I think the problem is that you want to use capabilities in a way that
they are not designed for: you don't set capabilities at development
time, you do it at deployment time. I would develop in a container or
a VM until the program is ready and then deploy it with capabilities
enabled.

Regards.
-- 
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México